NAT/Portforward VIPs block



  • Thank you Stephen. I'm just having an issue with the rules now. I able to get incoming traffic but outgoing to blocked. For example, have a laptop I'm using to test it and I'm able to remote into it. But when I go to a website it fails to connect. How would I set up the firewall for outgoing traffic?


  • Netgate Administrator

    You need a firewall rule (or rules) on the vlan6 interface to allow traffic from clients on that to reach external services.

    On LAN there is a default rule to pass that traffic but on all other internal interfaces it must be added.

    Steve



  • Steve,

    Im still having an issue with the rules. Could you help/explain to me how to set up source/destination for the rules for this? I'm kind of struggling with it. Thank you.


  • Netgate Administrator

    To just allow traffic out from clients on the VLAN6 subnet you just need a single rule on the VLAN6 interface.

    Action: Pass
    Interface: VLAN6
    Protocol: any
    Source: VLAN6net
    Destination: any

    That will allow clients to reach any other IP.

    Steve



  • Would I have to do any rules on the LAN since its a VLAN using the LAN interface? Still getting a NO_TRAFFIC:SINGLE on the VLAN6.

    Current LAN rules allow all. But not sure I have to be more specific for that VLAN so I'm using it for a direct connection.


  • LAYER 8 Global Moderator

    If you created a vlan, the rules on the parent interface - ie lan say has ZERO to do with traffic on vlan



  • Is there a dump file I can do that you could look at to see if I'm overlooking something?


  • LAYER 8 Global Moderator

    you can sniff sure, just use tcpdump.. if you use -e with tcpdump you can see the vlan tags..

    If if the rule on the parent physical interface had anything to do with the traffic on the vlan - then vlans would be completely USELESS nonsense since you wouldn't actually be isolating the traffic. Might as well just run multiple layer 3 on the same layer 2 in such scenario..

    You can also sniff using the diag / packet capture web gui.. But doesn't allow you to see the vlan tags because you can not call out -e

    Where exactly are you seeing
    "NO_TRAFFIC:SINGLE on the VLAN6."

    What state exactly... That info doesn't mean much without more context.

    What exactly is not working? What do you have configured on your switch to allow for the vlan6 you setup, guessing you used vlan ID 6 when you setup that vlan in pfsense? So you have trunk connected to your physical interface on pfsense frm your switch, and then port where you laptop connected via untagged access port in vlan 6, etc.


  • Netgate Administrator

    Have you actually created a VLAN6 interface in Interfaces > Assignments > VLANs?

    Steve



  • When I look at the "States Detail" under rules for VLAN its stating NO_TRAFFIC:SINGLE" Im unable to get online.
    I have a trunk port setup on my switch and my other VLANs are working properly but using a local subnet. I do have Port 6 tagged for VLAN 6.

    I disabled all the NAT for VLAN 6 and keep the rest all the same.

    Steve: Yes I have VLAN 6 created and I have the public IP block assigned to that interface.

    What specific rules I would have to create on the WAN?


  • Netgate Administrator

    You shouldn't need any rules on WAN to allow traffic out from the VLAN6 subnet.

    Try to ping out from Diag > Ping choosing the VLAN6 interface as the source address.

    It sounds like maybe your ISP is not actually routing that subnet to your WAN IP.

    Steve



  • I cant ping from that interface. this is what the ISP sent to me

    set routing-options static route 65.15X.XXX.X44/29 next-hop 67.1XX.XXX.198

    set routing-options static route 63.23X.XXX.X76/28 next-hop 67.1XX.XXX.198

    So I used the /29 for the WAN and the /28 for VLAN6


  • LAYER 8 Global Moderator

    So they directly attached it to you... Not routed it..



  • Ok knowing that now. How would I go about configuring the IPs then?


  • LAYER 8 Global Moderator

    Get them to actually route it to you... Or you would have to use vips and port forwarding.

    They are also having you set gateways outside the IP block... Not very good idea to be honest as well.



  • If i were to use VIP and port forwards would I have to port forward any devices they use on the network or can you they do that through there firewall? Also with the portforward what IP would be used for the gateway?



  • @johnpoz
    Could I just assign another nic interface for that second IP block? then Have the VLAN go to that?


  • LAYER 8 Netgate

    No. The ISP should route 63.23X.XXX.X76/28 to an address in 65.15X.XXX.X44/29. They should provision your service properly.



  • Thank you all for your help. I got the ISP to route the IPs and it worked how you all explained it.


  • Netgate Administrator

    Nice. 😀